BYO generally relates to “Bring your own device” (BYOD), “bring your own technology” (BYOT), or closely related, “bring your own behavior” (BYOB). BYOD or BYOT concerns corporate/business policy of how employees can bring and use personal mobile devices at work and access employers' email, databases and files, while otherwise using such devices at home, whereby personal applications/data are accessed though the same devices. Beyond hardware, BYOB extends this to software used on the device.
Currently many employees have both their own home computer (e.g., laptop) and a computer allocated by their employer. As employees are increasingly comfortable with maintaining their own home computers, employers are moving to a model of computer ownership in which only a single computer is required. An employee may be mandated to use his/her home computer at work. This is attractive to the employers as the system's administration of the computer is in large part delegated to the employee, leading to savings. It is also attractive to the employees as they require only a single computer which they can choose following their own preferences. In addition they often receive compensation from their employers.
However, mixing corporate with personal computation on the same machine blurs the line between what belongs to the employer and what belong to the employee. If no constraint is placed on the software run on this computer then confidential corporate information may be compromised as non-corporate applications distribute or corrupt it. If the employer requires tight control over the computer then the attractiveness to the employee is lost and the employee may worry that corporate monitoring tools are compromising their privacy. There needs to be a clear separation of concerns, with what belongs to whom being easily identifiable.
The use of Virtual Machines (VMs) is often used for defining this separation, with a VM encapsulating an entire executable environment. The VM is often termed a guest operating system with the operating system (OS) on which it is executed being termed the host OS. In one simple mode of operation, the company defines a corporate image and makes this available to the employee in the form of a VM. The VM is then run on the employees' home machine. What runs within the VM is defined by the company while employees keep freedom as to what they run on the physical machine as long as there is a suitable VM manager (e.g. VMWare, Virtual Box) present.
However, while this protects the employee from the employer the contrary is not true. The present invention aims at providing solutions, which also protect the employer from the employee.
Besides, external boot media are often provided on trusted devices (including secure, tamper proof devices), which type of devices is generally known. For example, for online transactions, a solution which has been developed is the so-called Zone Trusted Information Channel (or ZTIC for short). The ZTIC is a secure, non-programmable device for the authentication of transaction data. Since the ZTIC maintains a secured end-to-end network connection to the server, the ZTIC itself is tamper-proof against malicious software attacks and as it has its own input and output components independent of the host it connects to, the data shown on the ZTIC display is genuine. More details can be found in e.g., “The Zurich Trusted Information Channel—An Efficient Defence against Man-in-the-Middle and Malicious Software Attacks”, by Thomas Weigold, Thorsten Kramp, Reto Hermann, Frank Höring, Peter Buhler, Michael Baentsch. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch (Eds.): TRUST 2008, LNCS 4968, pp. 75-91, 2008. Springer-Verlag Berlin Heidelberg 2008.